The mechanism by which EmpowerID secures a workflow and the operations within that workflow is known as “Rights-Based Approval Routing” or RBAR. With RBAR, EmpowerID checks in real time whether the current person within a workflow process has the delegations needed to perform the operations associated with that process. If the person has the delegations, the process continues; if not, the process either exits or routes for approval to someone who holds the delegations needed to approve the operation. In EmpowerID, these delegations are controlled through the assignment of Access Levels. Before people can access a workflow or perform an operation within that workflow, they must have an Access Level assignment that allows them to do so. These assignments can be made directly to users or, more commonly, through membership in a Management Role that is configured with the Access Level.
EmpowerID restricts access to the IAM Shop through the use of Management Roles. To access the IAM Shop, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:
UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface.
VIS – Management Roles prefixed with VIS grant users the ability to see specific object types in EmpowerID.
ACT – Management Roles prefixed with ACT grant users the ability to manage (act on) specific objects in EmpowerID.
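The following is an added example that is not EmpowerID code: a small Python model of the RBAR decision described above, resolving a person's effective Access Levels through direct assignments and Management Role membership and then deciding whether an operation continues, routes for approval, or exits. The workflow, page, and web-service names are taken from this page, but the grants attached to them, the person data, the ACT-Business-Role-Approver role, the "Approver" Access Level, and the functions effective_grants, has_access and route_operation are assumptions made for illustration only.

```python
"""Toy model of Rights-Based Approval Routing (RBAR).

This is an added example, not EmpowerID code. The data structures and the
functions effective_grants/has_access/route_operation are assumptions for
illustration. The workflow, page and web-service names come from the page,
but the Access Levels attached to them below are a constructed sample, not
EmpowerID's shipped configuration; ACT-Business-Role-Approver and the
"Approver" Access Level are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# A grant is (Access Level, resource type, resource name).
Grant = Tuple[str, str, str]

# Constructed sample: Access Levels carried by each Management Role.
ROLE_GRANTS: Dict[str, Set[Grant]] = {
    "VIS-IT-SHOP-MS-API": {
        ("Executor", "WebService", "CartSubmissionAPI.SubmitCart"),
        ("Executor", "WebService", "GroupsAPI.GetGroups"),
    },
    "UI-IT-Shop-MS-Business-Role": {
        ("Viewer", "Page", "Business Roles Page (IT Shop)"),
        ("Initiator", "Workflow", "UpdatePersonBusinessRoles"),
    },
    "ACT-Business-Role-Approver": {  # hypothetical role name
        ("Approver", "Workflow", "UpdatePersonBusinessRoles"),
    },
}

# Constructed sample: Management Role membership and direct Access Level assignments.
PERSON_ROLES: Dict[str, Set[str]] = {
    "alice": {"VIS-IT-SHOP-MS-API", "UI-IT-Shop-MS-Business-Role"},
    "bob": {"VIS-IT-SHOP-MS-API", "ACT-Business-Role-Approver"},
    "carol": {"VIS-IT-SHOP-MS-API"},
}
DIRECT_GRANTS: Dict[str, Set[Grant]] = {
    "carol": {("Approver", "Workflow", "UpdatePersonBusinessRoles")},
}


def effective_grants(person: str) -> FrozenSet[Grant]:
    """Every Access Level a person holds, directly or via Management Role membership."""
    grants: Set[Grant] = set(DIRECT_GRANTS.get(person, set()))
    for role in PERSON_ROLES.get(person, set()):
        grants |= ROLE_GRANTS.get(role, set())
    return frozenset(grants)


def has_access(person: str, level: str, rtype: str, rname: str) -> bool:
    """True if the person holds exactly this Access Level on this resource."""
    return (level, rtype, rname) in effective_grants(person)


@dataclass(frozen=True)
class Decision:
    outcome: str                       # "continue", "route" or "exit"
    approvers: Tuple[str, ...] = ()    # populated only for "route"


def route_operation(person: str, level: str, rtype: str, rname: str,
                    approval_level: str = "Approver") -> Decision:
    """RBAR check for one operation, evaluated when the operation is reached.

    continue: the actor already holds the required Access Level.
    route:    the actor lacks it, but someone else holds the approval-level
              delegation on the same resource, so the request goes to them.
    exit:     nobody can approve, so the process ends without performing it.
    """
    if has_access(person, level, rtype, rname):
        return Decision("continue")
    # In this model the requester may never approve their own request.
    candidates = set(PERSON_ROLES) | set(DIRECT_GRANTS)
    approvers = tuple(sorted(
        p for p in candidates
        if p != person and has_access(p, approval_level, rtype, rname)
    ))
    if approvers:
        return Decision("route", approvers)
    return Decision("exit")


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, route_operation(who, "Initiator", "Workflow",
                                   "UpdatePersonBusinessRoles"))
```

The check is deliberately exact: holding Executor on a web service says nothing about holding Initiator on a workflow, which is why a user who can call CartSubmissionAPI.SubmitCart can still be routed for approval when the workflow behind the cart needs a delegation they lack. The exit branch is the case to watch in practice: if no one holds the approval-level delegation on a resource, requests against it silently end rather than reaching anybody.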
Roles needed to shop in the IAM Shop
To shop for eligible resources in the IAM Shop, users need one or more of the Management Role assignments below, chosen by the scope they need: assign the role for the specific item type a user shops for where possible, since the Full-Access role and the Role Bundle grant every item type.
Management Role | Role Type | Description
---|---|---
UI-IT-Shop-MS- | | Inherits the Access Levels listed below from the parent Management Role Definition:
Workflow Access
Initiator Access Level for following workflows:
UpdatePersonDirectAssignment
UpdatePersonBusinessRoles
Control (User Interface) Access
Viewer Access Level for the following controls:
Application Process Control
Business Roles TCode Control
Business Roles Owners Attribute Control
Business Roles Advanced Search Control
Business Roles Role Approvers Attribute Control
Application Roles Resource System Attribute Control
Business Roles Name Attribute Control
Target System Control
Application Roles TCode Control
Application Roles Advanced Search Control
Shop for Target Person Control
Business Functions Control
Business Roles Parent Business Roles Attribute Control
Application Roles Owners Attribute Control
Application Roles High Level Classification Attribute Control
Business Domains Control
Business Roles High Level Classification Attribute Control
Application Roles Name Attribute Control
Application Access
Viewer Access Level for the following applications:
IT Shop Microservice App
EmpowerID Web
Web Service Access
Executor Access Level for the following Web services:
All ITShop WebServices
AllRbacObjects
CartSubmissionAPI.SubmitCart
Pages and Reports Access
Viewer Access Level for the following pages and reports:
Groups Page (IT Shop)
Business Roles Page (IT Shop)
VIS-IT-SHOP-MS-API | Visibility (VIS) | Grants visibility to the base Web services required by all users of the IT Shop microservice.
Web Service Access
Executor Access Level for the following Web services:
BusinessFunctionsAPI
BusinessFunctionsAPI.GetChildrenByOrgZoneType
BusinessFunctionsAPI.GetOrgZonesByOrgZoneTypeTypes
BusinessLocationsAPI.GetOrgZoneTypes
BusinessLocationsAPI.Search
BusinessRolesAPI
BusinessRolesAPI.CheckAssignmentStatus
BusinessRolesAPI.GetApplicationRoleTemplates
BusinessRolesAPI.GetAssignedAppRolesByPersonGUID
BusinessRolesAPI.GetAssignedBusinessRolesByPersonGUID
BusinessRolesAPI.GetOrgRole
BusinessRolesAPI.GetOrgRoles
BusinessRolesAPI.GetSingleOrgRole
CartSubmissionAPI
CartSubmissionAPI.SubmitCart
CheckForSODAPI
CheckForSODAPI.GetAssigneesForOrgRoleType
GlobalSettingsAPI
GlobalSettingsAPI.GetConfigSetting
GroupsAPI
GroupsAPI.CheckAssignmentStatus
GroupsAPI.GetAssignedAppRolesByPersonGUID
GroupsAPI.GetAssignedMembershipByOrgRolesOrgZoneID
GroupsAPI.GetGroups
GroupsAPI.GetSingleOrgRole
GroupsAPI.GetTargetSystemsFilterdata
LocalizationAPI
LocalizationAPI.CountryHelpText
LocalizationAPI.GetByResourceSet
ProtectedAppResourceAPI
ProtectedAppResourceAPI.AlllowedSsoApplications
ProtectedAppResourceAPI.GetChildrenByProtectedApplication
Management Role | Role Type | Description
---|---|---
Application | Feature Set (UI) | Grants access to shop for Applications in the IAM Shop microservice app, through the user interface controls, pages and reports, and workflows needed for that item type.
UI-IT-Shop-MS-Application Role | Feature Set (UI) | Grants access to shop for Application Roles (Groups) in the IAM Shop microservice app, through the user interface controls, pages and reports, and web services needed for that item type.
UI-IT-Shop-MS-Azure-Admin-Role | Feature Set (UI) | Grants access to shop for Azure Admin Directory Roles in the IAM Shop microservice app, through the user interface controls, pages and reports, and web services needed for that item type.
UI-IT-Shop-MS-Azure-License | Feature Set (UI) | Grants access to shop for Azure Licenses in the IAM Shop microservice app, through the user interface controls, pages and reports, and web services needed for that item type.
UI-IT-Shop-MS-Azure-RBAC-Role | Feature Set (UI) | Grants access to shop for Azure RBAC Roles in the IAM Shop microservice app, through the user interface controls, pages and reports, and web services needed for that item type.
UI-IT-Shop-MS-Business-Role | Feature Set (UI) | Grants access to shop for Business Roles in the IAM Shop microservice app, through the user interface controls, pages and reports, and web services needed for that item type.
UI-IT-Shop-MS-Common | Feature Set (UI) | Grants access to the common/shared applications, user interface controls, and web services used by the IAM Shop.
UI-IT-Shop-MS-Full-Access | Feature Set (UI) | Grants access to all Item Types and UI in the IAM Shop microservice app, including the associated user interface controls, pages and reports, web services and workflows.
VIS-IT-Shop-MS-API | Visibility (VIS) | Grants access to the base web services required by all users of the IAM Shop microservice.
IAM Shop, My Tasks, and My Identity Self-Service Full Access | Role Bundle | Bundles the Management Roles that grant full access for using the IAM Shop, My Tasks, and My Identity microservices.